Version 2.1 - Adopted on 24 May 2023
Version history
| Version 1.0 | 13 April 2021 | Adoption of the Guidelines for public consultation |
|---|---|---|
| Version 2.0 | 24 May 2023 | Adoption of the Guidelines after public consultation |
| Version 2.1 | 15 July 2024 | Editorial corrections |
Article 65(1)(a) GDPR is a dispute resolution mechanism meant to ensure the correct and consistent application of the GDPR in cases involving cross-border processing of personal data. It aims to resolve conflicting views among the LSA(s) and CSA(s) on the merits of the case, in particular whether there is an infringement of the GDPR or not, in order to ensure the correct and consistent application of the GDPR in individual cases. These Guidelines clarify the application of the dispute resolution procedure under Article 65(1)(a) GDPR.
Article 65(1)(a) GDPR requires the EDPB issues a binding decision whenever a Lead Supervisory Authority (LSA) issues a draft decision and receives objections from Concerned Supervisory Authorities (CSAs) that either it does not follow or it deems to be not relevant and reasoned.
These Guidelines clarify the applicable legal framework and main stages of the procedure, in accordance with the relevant provisions of the Charter of Fundamental Rights of the European Union, the GDPR and EDPB Rules of Procedure. The Guidelines also clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. In accordance with Article 65(1)(a) GDPR, the EDPB binding decision shall concern all the matters which are the subject of the relevant and reasoned objection. Consequently, the EDPB will first assess whether the objection(s) raised meet the “relevant and reasoned” standard set in Article 4(24) GDPR. Only for the objections meeting this threshold, the EDPB will take a position on the merits of the substantial issues raised. The Guidelines analyse examples of objections signalling disagreements between the LSA and CSA(s) on specific matters and clarify the EDPB’s competence in each case.
The Guidelines also clarify the applicable procedural safeguards and remedies, in accordance with the relevant provisions of the Charter of Fundamental Rights of the European Union, the GDPR and EDPB Rules of Procedure. In particular, these Guidelines address the right to be heard, the right of access to the file, the duty for the EDPB to provide reasoning for its decisions, as well as a description of the available judicial remedies.
These Guidelines do not concern dispute resolution by the EDPB in cases where: (1) there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment (Article 65(1)(b) GDPR); or (2) a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64 (Article 65(1)(c) GDPR).
Article 65(1)(a) GDPR requires the EDPB to issue a legally binding decision whenever a Lead Supervisory Authority (LSA) issues a draft decision within the meaning of Article 60(3) GDPR and decides not to follow a relevant and reasoned objection expressed by a Concerned Supervisory Authority (CSA) or is of the opinion that the objection is not relevant or reasoned.
Article 65(1)(a) GDPR is a dispute resolution mechanism meant to ensure the correct and consistent application of the GDPR in cases involving cross-border processing of personal data. It aims to resolve conflicting views among the LSA(s) and CSA(s) on the merits of the case, in particular whether there is an infringement of the GDPR or not, in order to ensure the correct and consistent application of the GDPR in individual cases.
Under the so-called ‘one-stop-shop mechanism’, which applies to cross-border processing of personal data, the LSA acts as the sole interlocutor for the controller or processor for the processing at issue. The LSA is responsible for carrying out the necessary investigations, communicating the relevant information to all CSAs and preparing a draft decision. In accordance with Article 60(2) GDPR, the LSA may request at any time the other CSA to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62 GDPR. Prior to the adoption of the draft decision, the LSA is required to cooperate with the CSAs in an endeavour to reach consensus and the LSA and CSAs to exchange all relevant information. As part of the cooperation procedure, the LSA and CSAs are also required to exchange all relevant information with each other (Article 60(1) GDPR).
Once a draft decision has been prepared, the LSA shall submit this draft decision to all CSAs for their opinion and take due account of their views. Within four weeks after having been consulted, a CSA can express a “relevant and reasoned objection” to the draft decision. When no CSA objects, the LSA may proceed to adopt the decision. If any CSA expresses an objection, the LSA must decide whether it will follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned. If the LSA does not intend to follow the objection(s) or considers the objection(s) are not relevant and reasoned, the LSA is obliged to refer the case to the EDPB for dispute resolution. If the LSA intends to follow the objection(s) that are deemed relevant and reasoned, it shall submit a revised draft decision to all the CSAs. The CSAs then have a period of two weeks during which they can express their relevant and reasoned objections to the revised draft decision (Article 60(5) GDPR). See also RRO GLS, paragraphs 2-3.
The EDPB will then act as a dispute resolution body and adopt a legally binding decision. The LSA, and in some situations the CSA with which the complaint was lodged, must adopt its final decision on the basis of the EDPB decision. The final decision of the competent supervisory authority will be addressed to the controller or processor and, where relevant, to the complainant.
These Guidelines clarify the application of Article 65(1)(a) GDPR. In particular, they clarify the application of the relevant provisions of the GDPR and Rules of Procedure, delineate the main stages of the procedure and clarify the competence of the EDPB when adopting a legally binding decision on the basis of Article 65(1)(a) GDPR. The Guidelines also include a description of the applicable procedural safeguards and remedies.
The present Guidelines do not concern dispute resolution by the EDPB in cases where: